Detects activity when a member is added to a security-enabled global group

Read More

Detects activity when a member is removed from a security-enabled global group

Read More

Addition of domains is seldom and should be verified for legitimacy.

Read More

Detects activity when a security-enabled global group is deleted

Read More

Detection of unusual child processes by different system processes

Read More

Detects when an account was created and deleted in a short period of time.

Read More

Detects when an account is disabled or blocked for sign in but tried to log in

Read More

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Read More

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Read More

An attacker can use the SID history attribute to gain additional privileges.

Read More

Detect remote login by Administrator user (depending on internal pattern).

Read More

Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

Read More

Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"

Read More

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Read More

Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.

Read More

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Read More

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Read More

Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the nslookup command.

Read More

Detect when authentications to important application(s) only required single-factor authentication

Read More

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Read More

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

Read More

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More

Detects S3 Browser utility creating IAM User or AccessKey.

Read More

Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.

Read More

Detects AWS root account usage

Read More

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

Read More

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

Read More

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

Read More

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Read More

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Read More

Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

Read More

Detect when users are authenticating without MFA being required.

Read More

Identifies when an user or application modified the federation settings on the domain.

Read More

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Detects when there is a interruption in the authentication process.

Read More

Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.

Read More

Monitor and alert for Bitlocker key retrieval.

Read More

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Read More

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Read More

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

Read More

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Read More

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Read More

Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.

Read More

Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More

Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More

Detects when changes are made to PIM roles

Read More

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Read More

Detects execution of ChromeLoader malware via a registered scheduled task

Read More

Find local accounts being created or modified as well as remote authentication configurations

Read More

Modifications to a config that will serve an adversary's impacts or persistence

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More

Detects the ld.so preload persistence file. See man ld.so for more information.

Read More

Detects blocked load attempts of revoked drivers

Read More

Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

Read More

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Read More

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

Read More

Detects potential COM object hijacking via modification of default system CLSID.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects a qlogin.exe command attempting to authenticate as the internal _+_PublicSharingUser_ using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.

Read More

Detects the malicious use of a control panel item

Read More

Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.

Read More

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

Read More

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Read More

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

Read More

Detects when a process tries to access the memory of svchost to potentially dump credentials.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache

Read More

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Read More

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Read More

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

Read More

Monitor and alert for device registration or join events where MFA was not performed.

Read More

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Read More

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Read More

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Read More

Detects DLL sideloading activity seen used by Diamond Sleet APT

Read More

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Read More

Detects the use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers exploit development, or to bypass memory protection mechanisms. A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

Read More

Detects using register-cimprovider.exe to execute arbitrary dll file.

Read More

Detects a method to load DLL via LSASS process using an undocumented Registry key

Read More

Hunts known SVR-specific DLL names.

Read More

Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL

Read More

Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.

Read More

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

Read More

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Read More

Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Read More

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Read More

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Read More

Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks

Read More

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Read More

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Read More

Detect failed authentications from countries you do not operate out of.

Read More

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Read More

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

Read More

Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.

Read More

Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.

Read More

Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

Read More

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Read More

Detects when changes are made to the SSH certificate configuration of the organization.

Read More

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects when an API access service account is granted domain authority.

Read More

Detects when an Google Workspace user is granted admin privileges.

Read More

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Read More

Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.

Read More

Detects attempts to enable the guest account using the sysadminctl utility

Read More

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Read More

Detects guest users being invited to tenant by non-approved inviters

Read More

Detects remote thread creation from CACTUSTORCH as described in references.

Read More

Detects various execution patterns of the CrackMapExec pentesting framework

Read More

Detects the use of the Dinject PowerShell cradle based on the specific flags

Read More

Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.

Read More

Detects creation of default named pipes used by the Koh tool

Read More

Detects the process injection of a LittleCorporal generated Maldoc.

Read More

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

Read More

Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

Read More

Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent

Read More

Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms

Read More

Detects the use of SharpUp, a tool for local privilege escalation

Read More

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Read More

Detects when sign-ins increased by 10% or greater.

Read More

Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.

Read More

Detects an interactive AT job, which may be used as a form of privilege escalation.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Read More

Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

Read More

Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.

Read More

Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.

Read More

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Read More

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Read More

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects registry key used by Leviathan APT in Malaysian focused campaign

Read More

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Read More

Detects the creation of doas.conf file in linux host platform.

Read More

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

Read More

Detect failed attempts to sign in to disabled accounts.

Read More

Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.

Read More

Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.

Read More

Detects loading of known malicious drivers via their hash.

Read More

Detects loading of known malicious drivers via the file name of the drivers.

Read More

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Read More

Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

Read More

Detects when successful sign-ins increased by 10% or greater.

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

Read More

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

Read More

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

Read More

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE

Read More

Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Read More

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Read More

Detects suspicious modification of crontab file.

Read More

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Read More

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Read More

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Read More

Detects abusing Windows 10 Narrator's Feedback-Hub

Read More

Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.

Read More

Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence

Read More

Monitor and alert on conditional access changes.

Read More

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Read More

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

Read More

DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Read More

Detects the creation of a macro file for Outlook.

Read More

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

Read More

Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

Read More

Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.

Read More

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Read More

Number of VM creations or deployment activities occur in Azure via the azureactivity log.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects OilRig activity as reported by Nyotron in their March 2018 report

Read More

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects when an the Administrator role is assigned to an user or group.

Read More

Detects when a new identity provider is created for Okta.

Read More

Detects when Okta identifies new activity in the Admin Console.

Read More

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

Read More

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

Read More

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

Read More

Detects activity mentioned in Operation Wocao report

Read More

Detects activity mentioned in Operation Wocao report

Read More

Detects the modification of Outlook security setting to allow unprompted execution of macros.

Read More